CVE-2024-55879
📋 TL;DR
This vulnerability allows any XWiki user with script rights to execute arbitrary remote code by adding XWiki.ConfigurableClass instances to pages. This compromises the entire XWiki installation's confidentiality, integrity, and availability. All XWiki installations from version 2.3 up to (but not including) 15.10.9 and 16.3.0 are affected.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
Xwiki by Xwiki
Xwiki by Xwiki
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control over the XWiki server, potentially leading to data theft, destruction, or lateral movement to other systems.
Likely Case
Attackers with script rights exploit this to execute arbitrary code, compromising the XWiki instance and potentially the underlying server.
If Mitigated
If script rights are strictly controlled and only granted to trusted administrators, risk is significantly reduced but not eliminated.
🎯 Exploit Status
Exploitation requires script rights but is straightforward once those rights are obtained. The advisory provides technical details that could facilitate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 15.10.9 or 16.3.0
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r279-47wg-chpr
Restart Required: Yes
Instructions:
1. Backup your XWiki installation and database. 2. Download XWiki 15.10.9 or 16.3.0 from the official website. 3. Replace the existing installation with the patched version. 4. Restart the XWiki service or application server.
🔧 Temporary Workarounds
No workarounds available
allThe vendor advisory states no known workarounds exist except upgrading.
🧯 If You Can't Patch
- Immediately revoke script rights from all non-essential users and audit user permissions.
- Implement network segmentation to isolate the XWiki server and monitor for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check your XWiki version. If it's between 2.3 and 15.10.9 (excluding 15.10.9) or between 15.10.9 and 16.3.0 (excluding 16.3.0), you are vulnerable.Check Version:
Check the XWiki administration panel or view the xwiki.properties file for version information.Verify Fix Applied:
After upgrading, verify the version is exactly 15.10.9 or 16.3.0 or higher.📡 Detection & Monitoring
Log Indicators:
- Unusual page modifications involving XWiki.ConfigurableClass
- Unexpected script execution events
- Suspicious user activity from accounts with script rights
Network Indicators:
- Unusual outbound connections from the XWiki server
- Unexpected network traffic patterns
SIEM Query:
Search for events where user with script rights modifies pages containing 'XWiki.ConfigurableClass' or similar suspicious patterns.